# features/jwt_secret_rotation.feature
Feature: JWT Secret Rotation
  As a system administrator
  I want to rotate JWT secrets without disrupting users
  So that we can maintain security while ensuring continuous service

  Scenario: Authentication with multiple valid JWT secrets
    Given the server is running with multiple JWT secrets
    And a user "multiuser" exists with password "testpass123"
    When I authenticate with username "multiuser" and password "testpass123"
    Then the authentication should be successful
    And I should receive a valid JWT token signed with the primary secret

  Scenario: Token validation with multiple valid secrets
    Given the server is running with multiple JWT secrets
    And a user "tokenuser" exists with password "testpass123"
    When I authenticate with username "tokenuser" and password "testpass123"
    Then the authentication should be successful
    And I should receive a valid JWT token
    When I validate a JWT token signed with the secondary secret
    Then the token should be valid
    And it should contain the correct user ID

  Scenario: Secret rotation - adding new secret while keeping old one valid
    Given the server is running with primary JWT secret
    And a user "rotateuser" exists with password "testpass123"
    When I authenticate with username "rotateuser" and password "testpass123"
    Then the authentication should be successful
    And I should receive a valid JWT token signed with the primary secret
    When I add a new secondary JWT secret to the server
    And I authenticate with username "rotateuser" and password "testpass123" again
    Then the authentication should be successful
    And I should receive a valid JWT token signed with the new secondary secret
    When I validate the old JWT token signed with primary secret
    Then the token should still be valid

  Scenario: Token rejection after secret expiration
    Given the server is running with primary and expired secondary JWT secrets
    When I use a JWT token signed with the expired secondary secret for authentication
    Then the authentication should fail
    And the response should contain error "invalid_token"

  Scenario: Graceful secret rotation with user continuity
    Given the server is running with primary JWT secret
    And a user "gracefuluser" exists with password "testpass123"
    When I authenticate with username "gracefuluser" and password "testpass123"
    Then the authentication should be successful
    And I should receive a valid JWT token signed with the primary secret
    When I add a new secondary JWT secret and rotate to it
    And I use the old JWT token signed with primary secret
    Then the token should still be valid during retention period
    When I authenticate with username "gracefuluser" and password "testpass123" after rotation
    Then the authentication should be successful
    And I should receive a valid JWT token signed with the new secondary secret
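The feature above specifies behaviour but not a mechanism. The following is an added example, not the project's own code, of the key-ring logic these scenarios exercise: a primary secret signs, every non-expired secret may verify, rotation promotes a new secret and gives the old one a retention deadline, and a token whose secret has passed that deadline is rejected with `invalid_token`. It uses only the Python standard library (HS256 via `hmac`); the names `KeyRing`, `Secret`, `InvalidToken`, the `kid` header lookup, the retention window and all secrets and timestamps are assumptions constructed for the example. It also pins `alg` to HS256 so a forged `alg: none` token is refused, a check the feature does not spell out but any verifier must make.

```python
"""Added example (not the project's code): HS256 JWT secret rotation with retention."""
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Optional


class InvalidToken(Exception):
    """Carries the error code the feature expects on rejection: "invalid_token"."""

    def __init__(self, reason: str):
        super().__init__(reason)
        self.error = "invalid_token"
        self.reason = reason


@dataclass
class Secret:
    kid: str                          # key id written into the JWT header (assumption)
    key: bytes
    expires_at: Optional[float] = None  # None = no retention deadline set yet

    def active(self, now: float) -> bool:
        return self.expires_at is None or now < self.expires_at


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class KeyRing:
    """secrets[0] signs new tokens; every active entry may verify old ones."""

    def __init__(self, primary: Secret):
        self.secrets = [primary]

    def rotate(self, new: Secret, retention_seconds: float, now: float) -> None:
        """Promote `new` to signer; the old signer verifies only until retention ends."""
        self.secrets[0].expires_at = now + retention_seconds
        self.secrets.insert(0, new)

    def sign(self, payload: dict) -> str:
        signer = self.secrets[0]
        header = {"alg": "HS256", "typ": "JWT", "kid": signer.kid}
        compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
        signing_input = compact(header) + "." + compact(payload)
        sig = hmac.new(signer.key, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + _b64url(sig)

    def verify(self, token: str, now: Optional[float] = None) -> dict:
        now = time.time() if now is None else now
        try:
            h64, p64, s64 = token.split(".")
            header = json.loads(_unb64url(h64))
            signature = _unb64url(s64)
        except (ValueError, UnicodeDecodeError) as exc:
            raise InvalidToken("malformed") from exc
        # Pin the algorithm: the token must never choose "none" or a different alg.
        if header.get("alg") != "HS256":
            raise InvalidToken("unexpected alg")
        kid = header.get("kid")
        # Only non-expired secrets may verify; a kid, if present, narrows to one of them.
        candidates = [s for s in self.secrets if s.active(now) and (kid is None or s.kid == kid)]
        if not candidates:
            raise InvalidToken("unknown or expired secret")
        signing_input = (h64 + "." + p64).encode()
        for secret in candidates:
            expected = hmac.new(secret.key, signing_input, hashlib.sha256).digest()
            if hmac.compare_digest(expected, signature):
                payload = json.loads(_unb64url(p64))
                if "exp" in payload and now >= payload["exp"]:
                    raise InvalidToken("token expired")
                return payload
        raise InvalidToken("bad signature")


def rotation_walkthrough() -> dict:
    """Replays the 'Graceful secret rotation' and 'Token rejection' scenarios (constructed data)."""
    t0 = 1_700_000_000.0
    ring = KeyRing(Secret("k1", b"primary-secret-constructed-for-example"))
    old_token = ring.sign({"sub": "gracefuluser", "exp": t0 + 3600})
    ring.rotate(Secret("k2", b"secondary-secret-constructed-for-example"), retention_seconds=600, now=t0)
    new_token = ring.sign({"sub": "gracefuluser", "exp": t0 + 3600})
    results = {
        "old_valid_during_retention": ring.verify(old_token, now=t0 + 300)["sub"],
        "new_signed_with": json.loads(_unb64url(new_token.split(".")[0]))["kid"],
        "new_valid": ring.verify(new_token, now=t0 + 300)["sub"],
    }
    for name, tok, when in (
        ("old_after_retention", old_token, t0 + 601),                        # k1 past its deadline
        ("alg_none", _b64url(b'{"alg":"none","kid":"k2"}') + "." + new_token.split(".")[1] + ".", t0 + 300),
    ):
        try:
            ring.verify(tok, now=when)
            results[name] = "accepted"
        except InvalidToken as exc:
            results[name] = exc.error
    return results


if __name__ == "__main__":
    print(rotation_walkthrough())
```

The retention window is what makes the "graceful" scenario work: `rotate` does not delete the old secret, it timestamps it, so tokens issued before the rotation keep validating until `expires_at`, after which the same token fails with `invalid_token` exactly as the "Token rejection after secret expiration" scenario requires. Because the verifier only ever tries active secrets, an attacker who recovers a retired secret gains nothing once its deadline has passed.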